Zero Trust is becoming quite the buzzword these days, with organizations and government agencies releasing more guidance and strategies for their Zero Trust initiatives every day[1][2][3]. With so much new information being published all the time, understanding the core of what Zero Trust is can be a bit of a challenge for those new to the topic. So, let’s de-mystify Zero Trust and get started with a solid foundation of zero trust principles.
What is Zero Trust?
To put it simply, Zero Trust is a strategy for securing modern enterprise networks. It combines an intense focus on least privilege, secure access, and monitoring to provide enterprises with far more effective and efficient security than traditional approaches. The name ‘Zero Trust’ comes from the shift in assumptions about trust within a network. Zero Trust networks provide zero implicit trust to actors on a network and instead opt for authenticating and authorizing everything. But before we dive into the future of network security, let’s take a look at how we got here.
How Did We Get Here?
Traditionally, security teams have focused on securing the perimeters of their networks. Like a moat surrounding a castle, network boundaries were heavily guarded by placing firewalls and performing deep packet inspection of traffic that came into the ‘trusted’ internal network. These measures protected internal resources from the rest of the internet and allowed users on the internal network to use and consume those resources.
As technology advanced and requirements grew more demanding, remote users often needed to access these protected resources, meaning security teams needed ways to allow external access to what were once internal-only resources. The explosion of the cloud and movement of workloads and data outside the traditional boundary also presented its own challenges for security teams. Each of these remote resources and workloads needed their own set of security measures and protections to prevent unauthorized access. The complexity of securing an enterprise network was multiplying, and the frequency and severity of attacks grew with it. It was clear that the ‘castle and moat’ strategy had failed.
Zero Trust to the Rescue!
How do we address these modern enterprise needs, to secure a decentralized network with remote users and finite security resources? We start with a Zero Trust strategy.
Zero Trust security is built with modern enterprises in mind and aims to address the increasing security needs of today’s networks:
- Enterprise networks have local and remote users.
- Workloads and resources are split across corporate networks, cloud providers, and SAAS offerings.
- ‘Identity’ isn’t just for humans anymore (machines access resources too).
- Implicit trust is dangerous.
- Security teams can’t grow forever.
Every enterprise will be different and have requirements and resources that make it unique. When discussing Zero Trust, we need to talk about the strategy first, rather than an individual implementation. Many organizations in both the private and public sectors are defining rules and must-haves for Zero Trust implementations. Still, Zero Trust as a strategy is built around the following principles:
Least privilege access and enforcement
The principle of least privilege states that only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (CISA, 2013). This principle has been around for a while, but it’s time that we renew our commitment to this vital principle.
Far too often teams claim their networks are enforcing least privilege everywhere when permissions are still incredibly open. In the ‘castle and moat’ model, a user had broad network access and could send traffic to resources which they may or may not have had permission to access. This meant that applications were responsible for authenticating anyone who had access to the service. This is an unacceptable state.
While application-layer security has continued to evolve and become more secure (and still plays an important role in Zero Trust), the fact remains that users without valid access to a resource should not be allowed to connect to that resource at the network layer. By disallowing access at the network layer, unauthorized or malicious actors are typically unable to perform many of the reconnaissance and exploit activities that have allowed them to breach applications in the past. Modern tooling such as Next-Gen Firewalls and software-defined networking are beginning to bridge the historical gaps that have existed between network and application layer access enforcement, making this level of rigor attainable for many organizations.
Secure access to all resources, no matter where they’re located
For decades, adversaries have taken advantage of the aging security paradigm that network location implied that users (or machines) were trusted. Network perimeters were breached time and time again, and unauthorized users gained broad access to resources that were thought to be protected.
Zero Trust dismantles the assumption that the network perimeter is intact and ensures that any identity (human or not) is validated and authorized to access resources. Trust is no longer implicit, which means the traditional network perimeter is all but gone, replaced by security policies that are equally enforced regardless of location. That equal enforcement applies to both users and machine-to-machine access.
The tech industry has seen a drastic increase in automation and changes to application architectures like microservices that require the same level of rigor to secure human or machine access. In addition to the need for uniform access control enforcement, Zero Trust architecture will need to secure all resources of value, meaning nothing should be accessed without first validating the authenticity and authorization of the accessing identity.
Log and inspect everything on your networks
Security teams are finite, and their jobs stretch across more systems now than ever. It’s impossible for security teams to be on the lookout for the detailed types of anomalies that may be cause for concern on any given network.
For this reason, it has become imperative to log and analyze nearly everything that goes on in a network. As the principle of least privilege, the idea that teams should be monitoring their systems is not new. The important distinction with Zero Trust networks is how monitoring is done. In addition to content analysis, Zero Trust networks should be analyzing the identities associated with the traffic and the context of that traffic on their networks. This distinction allows for far superior decision-making and event detection by network monitoring tools and SIEM systems. Increasing the overall observability of your resources and access patterns enables organizations to dynamically control access decisions. Zero Trust networks are expected to take events and context into consideration when determining authorization and allow for access policies to update based on what’s happening in the environment. Observability is critical here, and it starts with a good logging and monitoring strategy.
Zero Trust in Practice
More than likely, if your business is interested in building a system around a Zero Trust system (whether for themselves or a client), then you’ll be looking for a strategy on how you can get there. Unless you’re building a completely new system from scratch, moving to Zero Trust is going to be a journey. Organizations of all sizes will need to make strategic decisions about what to focus on first, all dependent on their business.
Security teams should therefore focus on delivering strategic value through smaller, tactical wins. If you’re not sure where the pain points are for your organization, start by asking questions and inventorying your system. If your team has many disparate identity and access management solutions, focus on consolidating them and using federated access and single sign-on. If your organization grants broad access to users on an internal network, perhaps focus on implementing additional network segmentation and using next-gen firewalls that integrate with your IAM solutions.
There are many different first steps your organization can take, but the bottom line is that the core principles of Zero Trust can be applied to systems at any stage of maturity. Teams can and should focus on what’s important to them now before their next security incident. With each tactical win, your system becomes more and more resilient to the many attack vectors available today, and the barrier to entry for attackers grows higher.
To learn more about the latest insights on organizational security, connect with us on LinkedIn.
References
CISA. (2013) Least Privilege. https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege
Author
-
Garrett Folks is a Consultant with Easy Dynamics, working with federal clients to design, build, and secure cloud-based workloads. He holds a B.S in Computer Science and specializes in defensive cybersecurity and cloud engineering. He is currently working with GSA’s identity PMO to strengthen the federal digital identity portfolio.
View all posts